deadimp

[web] [SOLVED] PHP - Disabling magic_quotes_gpc not seeming to work


[New Problem] Can't get magic_quotes to turn off... See my second post.

[Old - PHP - Safe form processing - "escaped characters"]

I'm just now getting into this area: What's the safest way to parse a string from PHP to make it compatible with the value attribute in an input field? Does htmlspecialchars() work with it, or not? [Haven't tested it yet]

I notice that sometimes on this forum, the HTML escape sequences are left on the editor... (Or at least I noticed it a couple of times a little while ago). Looking on here, though, it seems to work...

Plus, why is it that PHP automatically adds escaped characters to $_POST variables? What I mean is, when I submit text that would evaluate to "Stuff with \"quotes\"", what I would get on the receiving script would be "Stuff with \\\"quotes\\\"", and so on. Is this an option in php.ini? I know it happens on both my test server and the actual server that I'm working with.

[Ignore this part - I'm screwing around with the textarea] << >> < > " '

Right above this, when I edited it, it still displays the tag-chars (< and >) with their escape sequences.

[Edited by - deadimp on April 23, 2007 7:01:13 PM]

PHP has this much hated feature called magic quotes that will automatically escape characters in your strings. It's not the same as using a DB specific escape function, such as mysql_real_escape_string(), pg_escape_string(), etc. Not everyone likes having the strings escaped already since there may be other actions that need to be taken with the text as is.

The feature in php.ini is called magic_quotes and is on by default (unless your web host has disabled it).

You use htmlentities() and htmlspecialchars() when you output HTML. You would typically do this when printing out data that could store characters, such as an ampersand (&) and want to have valid HTML characters. I wouldn't recommend doing this for the information that is stored in the database. The differences between the two can be found on PHP's website.

Also, any function for PHP can be looked up by typing php.net/[function_name]
Keep this in mind the next time you are thinking of a function but can't recall where you're supposed to specify what argument (some PHP functions mix the order).

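The round trip discussed in the reply above, as an added example that is not part of the original thread: undo the blanket escaping once at input, store the raw value, and encode for HTML only at output. The input string is constructed, addslashes() stands in for magic_quotes_gpc, and PDO with in-memory SQLite is an assumption swapped in for the mysql_* functions the post mentions.

```php
<?php
// Added example (constructed input). addslashes() stands in for what
// magic_quotes_gpc did to request data; the directive was removed in PHP 5.4.

function h($s)
{
    // ENT_QUOTES encodes ' as well as ", needed for value='...' attributes.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$typed    = 'Stuff with "quotes", O\'Reilly & <b>tags</b>'; // what the user typed
$received = addslashes($typed);       // what the script sees with magic quotes on

// 1. Undo the blanket escaping once, at the input boundary.
$raw = stripslashes($received);

// 2. Database: bind the raw value as a parameter and store it unencoded.
//    (In-memory SQLite is used only so that the script runs offline.)
if (extension_loaded('pdo_sqlite')) {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE item (title TEXT)');
    $db->prepare('INSERT INTO item (title) VALUES (?)')->execute(array($raw));
    $stored = $db->query('SELECT title FROM item')->fetchColumn();
} else {
    $stored = $raw;
}

// 3. HTML: encode at output time, for the context being written.
echo "<input name='title' value='" . h($stored) . "'>\n";
echo "<textarea name='desc'>" . h($stored) . "</textarea>\n";

// 4. For comparison: the same field when step 1 is skipped. Each
//    edit-and-resubmit cycle would add another layer of backslashes.
echo "<input name='title' value='" . h($received) . "'>\n";
```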
I had the function pulled up on the manual, I just hadn't used it that much before and needed to know if there were any better alternatives... [Insert additional hypocritical self-justification]

As for my database stuff, I have the form encode the string appropriately (whether for the value attr, or for the textarea tag), and then on submission I decode the string in the same way. On its way to the database query, I then encode it for a mysql-safe string.

Thanks for the pointers.
Gotta go change that frickin' INI value.

[New Problem]
Huh... Can't change it. I've tried changing php.ini and restarting Apache, and I've tried 'ini_set' in the script, neither showed any difference when I pulled up 'phpinfo()'....
I've looked at the documentation, and I've set 'magic_quotes_sybase' to false, so it shouldn't be overriding it (that's actually showing up in the config).

[Edited by - deadimp on April 20, 2007 10:56:45 PM]

What OS are you running? Are you sure you're editing the correct php.ini file? I know that with XAMPP installs on Windows, there are four or five php.ini files, with the correct one being located in a sub folder that is under apache.

If you're using Linux and not the XAMPP package, then it can vary on where the file is located. If you're running Linux, type "locate php.ini" and it will give you all instances of that file on the system. If you're running Windows, search your system for that file as well (if you're using XAMPP, it's under the apache/something folder).

Original post by deadimp:
"Plus, why is it that PHP automatically adds escaped characters to $_POST variables?"

You mean $_GET?

Since I'm really not sure what you are doing (an example would be best) have you tried just using the stripslashes / addslashes functions?

I'm using Xampp on Windows, and I'm fairly certain that the php.ini file used is in xampp\php\php.ini (running PHP 5).

markadrake >> Well, technically $_GET, $_POST, and $_COOKIE.
I'm just using simple forms:
Form:
    <form action='file.php' method='post'>
      <input name='title' value='Title'><br>
      <textarea name='desc'>Stuff goes here</textarea><br>
    </form>

file.php:
    if ($_POST["title"]) {
      $title=...; //register_globals is disabled
    }

For now, I'm using those two functions, but I guess it would be better for me if I didn't have to worry about stripslashes when retrieving something via post. Since I can't do it on my local server, I'll have to make sure it's still On on the server I'm working with.

Ah, forgot to mention, the flag is "magic_quotes_gpc"... Not sure what it is on PHP 4.x.

Aw, crap. Stupid, stupid, stupid me.
I forgot that phpinfo() listed where the config file was, and I was too ign'ant to look there.
Ends up it was in the bin directory of apache.
Thanks for the help.

[Edited by - deadimp on April 22, 2007 5:12:22 PM]

See? I told you it was under a sub folder of apache! I had to make this exact change on Thursday in the same scenario [smile]

magic_quotes_gpc might well be enabled on your production server - and you might not be able to disable it via the ini file!

My preferred fix is to leave it on in the server configuration, but to add a .htaccess file to the site root containing the line:

php_flag magic_quotes_gpc off

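For the two situations the thread ends on (not knowing which php.ini is in effect, and a production server where the setting may still be on), a script can report the loaded configuration and normalise request data itself. This is an added example, not code from any poster; the function names config_report and undo_magic_quotes are hypothetical and the sample request array is constructed.

```php
<?php
// Added example: find out which configuration PHP really loaded, then undo
// magic quotes in request data if the setting is still active.
// magic_quotes_gpc is a per-directory setting (php.ini, httpd.conf,
// .htaccess), which is why ini_set() inside the script does not change it.

function config_report()
{
    // get_magic_quotes_gpc() is deprecated since PHP 7.4 and gone in PHP 8.
    $gpc = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return array(
        'php_version'         => PHP_VERSION,
        'loaded_ini'          => php_ini_loaded_file(),   // same path phpinfo() reports
        'scanned_ini'         => php_ini_scanned_files(), // additional .ini files, if any
        'magic_quotes_gpc'    => (bool) $gpc,
        'magic_quotes_sybase' => filter_var(ini_get('magic_quotes_sybase'),
                                            FILTER_VALIDATE_BOOLEAN),
    );
}

function undo_magic_quotes($value)
{
    // Recurse, because fields named like tags[] arrive as arrays.
    // stripslashes() follows magic_quotes_sybase: '' becomes ' when it is on.
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

$report = config_report();
if ($report['magic_quotes_gpc']) {
    // $_REQUEST is a separate copy, so it needs the same treatment.
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}
print_r($report);

// Constructed sample of request data as it looked with the setting on.
$sample = array('title' => 'O\\\'Reilly', 'tags' => array('say \\"hi\\"'));
print_r(undo_magic_quotes($sample));
```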